fixup! core/crypto/_edwards25519: Initial import

odin-lang · Apr 7, 2024 · 2dfc905 · 2dfc905
1 parent fc071d6
commit 2dfc905
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/core/crypto/_edwards25519/edwards25519.odin b/core/crypto/_edwards25519/edwards25519.odin
@@ -139,20 +139,19 @@ ge_set_bytes :: proc "contextless" (ge: ^Group_Element, b: []byte) -> bool {
 	// x = invsqrt(den/num)
 	is_square := field.fe_carry_sqrt_ratio_m1(
 		&tmp.x,
-		field.fe_relax_cast(fe_tmp),
 		field.fe_relax_cast(&tmp.x),
+		field.fe_relax_cast(fe_tmp),
 	)
 	if is_square == 0 {
 		return false
 	}
 
+	// Pick the right x-coordinate.
+	field.fe_cond_negate(&tmp.x, &tmp.x, int(b[31] >> 7))
+
 	// t = x * y
 	field.fe_carry_mul(&tmp.t, field.fe_relax_cast(&tmp.x), field.fe_relax_cast(&tmp.y))
 
-	// Pick the right x-coordinate.
-	x_polarity := byte(field.fe_is_negative(&tmp.x))
-	ge_cond_negate(&tmp, &tmp, int(x_polarity ~ (b[31] >> 7)))
-
 	// Reject non-canonical encodings of ge.
 	buf: [32]byte = ---
 	field.fe_to_bytes(&buf, &tmp.y)
@@ -395,10 +394,10 @@ ge_cond_select :: proc "contextless" (ge, a, b: ^Group_Element, ctrl: int) {
 ge_equal :: proc "contextless" (a, b: ^Group_Element) -> int {
 	// (x, y) ?= (x', y') -> (X/Z, Y/Z) ?= (X'/Z', Y'/Z')
 	// X/Z ?= X'/Z', Y/Z ?= Y'/Z' -> X*Z' ?= X'*Z, Y*Z' ?= Y'*Z
-	ax_bz, ay_bz, bx_az, by_az: field.Tight_Field_Element = ---, ---, ---, ---
+	ax_bz, bx_az, ay_bz, by_az: field.Tight_Field_Element = ---, ---, ---, ---
 	field.fe_carry_mul(&ax_bz, field.fe_relax_cast(&a.x), field.fe_relax_cast(&b.z))
-	field.fe_carry_mul(&ay_bz, field.fe_relax_cast(&a.y), field.fe_relax_cast(&b.z))
 	field.fe_carry_mul(&bx_az, field.fe_relax_cast(&b.x), field.fe_relax_cast(&a.z))
+	field.fe_carry_mul(&ay_bz, field.fe_relax_cast(&a.y), field.fe_relax_cast(&b.z))
 	field.fe_carry_mul(&by_az, field.fe_relax_cast(&b.y), field.fe_relax_cast(&a.z))
 
 	ret := field.fe_equal(&ax_bz, &bx_az) & field.fe_equal(&ay_bz, &by_az)

diff --git a/core/crypto/_fiat/field_curve25519/field.odin b/core/crypto/_fiat/field_curve25519/field.odin
@@ -53,12 +53,14 @@ fe_is_negative :: proc "contextless" (arg1: ^Tight_Field_Element) -> int {
 }
 
 fe_equal :: proc "contextless" (arg1, arg2: ^Tight_Field_Element) -> int {
-	tmp1: [32]byte = ---
+	tmp1, tmp2: [32]byte = ---, ---
 
-	fe_to_bytes(&tmp1, arg2)
-	ret := fe_equal_bytes(arg1, &tmp1)
+	fe_to_bytes(&tmp1, arg1)
+	fe_to_bytes(&tmp2, arg2)
+	ret := crypto.compare_constant_time(tmp1[:], tmp2[:])
 
 	mem.zero_explicit(&tmp1, size_of(tmp1))
+	mem.zero_explicit(&tmp2, size_of(tmp2))
 
 	return ret
 }